
What are virtual firewalls?

Virtual firewalls are virtual appliances that re-create the functions of a physical firewall. They run inside the same virtual environments as the workloads they protect. Because they sit inside the virtual environment, they apply policy to traffic that is invisible to the physical network, securing it without negating the agility that virtualization brings. They don't necessarily care whether the virtual machines (VMs) are in the data center or floating up to an Infrastructure as a Service (IaaS) environment.

Why the need for virtual firewalls?

Currently more than 97% of companies virtualize servers, and more than 53% of the workloads running in the data center are on virtual servers. During the conversion from physical to virtual, security structures between servers on the physical network are either dropped or they are maintained as physical systems.

When physical firewalls are used to address virtual traffic, this traffic must be routed out of the virtual environment, through the physical security infrastructure, and back into the virtual environment. This kind of hairpinning adds complexity, increases fragility and decreases the ability to move workloads around. What's more, things only get more difficult as enterprises extend their reach into IaaS environments. Currently, 17% of companies use IaaS, and an increasing number of IT shops are using it for customer-facing work.

Given this, it's clear that IT must secure both the internal virtual environment and the external network. Virtual firewalls can be used for both environments.

If you're considering virtual firewalls for IaaS or other public cloud use, it is important to be sure the virtual appliance you use internally can be provided on your cloud provider's platform. If the virtual appliance only runs under VMware, but you need it to work in a Xen- or KVM-based IaaS environment, you will be out of luck.

Why a single-policy environment for physical and virtual firewalls?

It's best to integrate virtual and physical firewalls into the same policy environment, and it's better to use a single tool set for both. A single environment means business users can be sure that the same access controls will follow their data wherever it flows. A single environment also means IT doesn't have to:

In an ideal virtual firewall scenario, you would have a single firewall vendor that provides a virtual platform running under the hypervisors you need, and you would have tools that manage both virtual and physical appliances.

While multivendor environments are not ideal, there are a few tools that manage multivendor firewall deployments. Vendors of such tools include FireMon and Tufin.

Virtual firewalls and IaaS: Potential challenges

Before you start jumping those hurdles for IaaS, consider whether a virtual appliance in IaaS will fit into your compliance or security framework. Using a virtual firewall in an IaaS environment, even if it is your own chosen virtual appliance, implies a level of trust in the cloud provider, since VM-to-VM traffic will be visible to whoever controls that environment.

If you can't assert this level of trust for the cloud platforms, you must instead resort to a host-based firewall or VPN solutions that filter traffic in and out of VMs. These consume more resources than virtual appliances because, for example, if a packet gets dropped once at an appliance, it might have to be dropped on every server that would have been sitting behind that appliance. Nevertheless, these host-based firewalls or VPN solutions require no additional level of trust in the cloud provider.
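To make the single-policy idea and the host-based trade-off concrete, here is an added example (not from the article): one canonical policy is authored once and then enforced either at a single virtual appliance or on each VM, and the script tallies where the drop work lands. The VM names, addresses and sample packets are constructed for illustration.

```python
"""Added example: one policy, two enforcement placements (constructed data)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR the rule matches
    dst_port: Optional[int]  # None means any destination port


# Single canonical policy, written once and reused at every enforcement point.
POLICY = [
    Rule("allow", "10.0.0.0/8", 443),   # internal clients may reach HTTPS
    Rule("deny", "0.0.0.0/0", None),    # default deny for everything else
]

# Constructed traffic: (source IP, destination VM, destination port).
PACKETS = [
    ("10.1.2.3", "web-01", 443),      # legitimate internal request
    ("203.0.113.9", "web-01", 22),    # external source probing SSH on each VM
    ("203.0.113.9", "web-02", 22),
    ("203.0.113.9", "web-03", 22),
    ("10.1.2.3", "web-02", 8080),     # internal source, but a port not allowed
]


def evaluate(policy, src_ip, dst_port):
    """First-match evaluation of the policy; returns 'allow' or 'deny'."""
    for rule in policy:
        if ip_address(src_ip) in ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"  # implicit default deny if no rule matched


def enforce(packets, placement):
    """Apply POLICY at the chosen placement and report where work is spent.

    placement="appliance": one virtual appliance judges every packet.
    placement="host":      each destination VM judges its own packets.
    Returns (drops per enforcement point, delivered packets per VM).
    """
    drops, delivered = Counter(), Counter()
    for src, dst_vm, port in packets:
        point = "appliance" if placement == "appliance" else dst_vm
        if evaluate(POLICY, src, port) == "allow":
            delivered[dst_vm] += 1
        else:
            drops[point] += 1   # host placement: each VM burns cycles on its own drops
    return dict(drops), dict(delivered)
```

Both placements deliver exactly the same packets, which is the point of a single policy environment; they differ only in whether the dropped probes cost one appliance or every workload VM.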

Breaking down IT silos for virtual firewall implementation

Lastly, a very practical point: Systems, security and network folks should not undertake virtual firewall rollout in a vacuum. All three groups must be involved in developing guidelines for when, how and why virtual firewalls will be implemented. All three must have a voice in planning and management, as well as visibility into the virtual firewall infrastructure. Without cooperation, all three teams are bound to step on each other's toes.

About the author: John Burke is a principal research analyst with Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics.
